What Is Risk Management

Risk management is about understanding the internal and external project influences that can cause project failure. Once the project plan is built, a risk analysis should be carried out. The result of the initial risk analysis is a risk plan that should be reviewed frequently and adjusted accordingly. The main function of risk management is to identify and handle the uncommon causes of project variation. This is captured in a formal process in which risk factors are thoroughly identified, assessed, and provided for.

Within our software domain, the SEI definition is more than adequate: "Risk is the possibility of suffering loss." In a software development project, loss describes a negative impact to the project, which could be in the form of the diminished quality of the end product, increased costs, delayed completion, or outright project failure. Risk is uncertainty or lack of complete knowledge of the set of all possible future events. It can be classified as referring either to favorable or unfavorable future events.

Strictly speaking, risk involves only the possibility of suffering harm or loss. Risk can be categorized as:

● Internal, within the control of the project manager;

● External, outside the control of the project manager.

A software development project plan is only the best educated guess that can be made for planned events. Much can happen throughout the life cycle of the project that was not incorporated into the plan. This is variation. A good project manager minimizes variation through process management. Figure 1 illustrates the breadth of risk across the project, the classes of risk, and the project artifact where the risks are identified and their mitigation planned.

The project manager deals with risks resulting from three common classes:

1. Known knowns. These are risks known to the project team as both a category of risk and a reality of this project. An example of this is that not having an executive sponsor for a large project places continued funding at risk. If there is no executive sponsor, this is a known type of risk and it is known to exist on this particular project. A known known risk could also be a category of risk that has been mitigated on this project. These risks are noted and explained in the project management plan.

2. Known unknowns. These are risks that are known to the project team as a category of risk, but not known as a reality on this project. For instance, not having access to the ultimate end-user is a risk in that requirements may not be correctly identified. In this project, if it is unknown whether there is access to the ultimate end-user, this is a known type of risk, but it is unknown whether the risk exists on this project. These risks are explained in the risk management plan where they are prioritized and updated on a weekly basis.

3. Unknown unknowns. These are risks that are unknown to the project team as both a category of risk and as a reality of this project. Although project managers use broad categories of risk, an unknown unknown can arise in the technology area. An example of this is when a project must use a specific technology solution because it is dictated by the terms of the contract for the project. Even though this in itself is a risk, with no experience in the tool, the project manager cannot know all the potential risks inherent in the tool's use. These can only be addressed in the most common way: by setting a budget for contingencies.

Using both the project management and risk management plans, the project manager begins to identify contingency budgets. Figure 2 shows the relationship between risk and the dollar value of the project over the life cycle. Mapped across the IEEE 1074 project and product life cycle phases, the project investment gradually increases through the end of the requirements phase. Concept and system exploration, along with requirements, are the first three life cycle phases and are the phases where project planning has the greatest impact on risk mitigation. The inherent project risk is highest in these three phases and drops through project execution.

Design, implementation, and installation phases have the highest project execution risk reduction potential. In a world with experienced project managers and well-behaved projects, the risk continues to be reduced and the dollar value of the project investment smoothly increases. The final three phases, operations and support, maintenance, and retirement, have the lowest software development risk and the highest dollar investment. These three phases derive the highest risk impact from the product market.

The part of the figure labeled "Area of Highest Risk Mitigation Impact" covers requirements, design, implementation, and part of installation. This is the area of the project where the project manager has the most impact on risk mitigation. As long as risks are determined and mitigated, the amount of risk will smoothly decrease and project investment will continue on its predicted path. If risks are not identified and mitigated, the project cost will rapidly increase.

Project managers, as they are identifying the risks within the project life cycle and possible mitigation tactics, need to identify their level of risk tolerance. Risk tolerance varies by individual and organization; Figure 3 was derived from comparative responses to alternate-decision acts. A line going from the origin to the upper right corner at a 45 degree angle would represent neutral risk. This line represents the line of equilibrium points between the amount of dollars at stake and the probability of the risk event occurring. Risk-seeking individuals and teams follow the upper curved line, increasing the potential loss due to the risk event occurring. Risk avoiders are below the neutral line. Although risk may be avoided, there is an opportunity cost occurring below the neutral line. As more money is invested over time to avoid risk that will not occur, that money is lost for other investments. The opportunity to invest those monies is lost and the profit that could have been made is the opportunity cost. At a minimum, it is the interest lost by investing the monies in risk-free government bonds.

Business risks must be separated from the project idea of a "pure risk." Business or inherent risk is the chance for either profit or loss associated with any business endeavor. Pure or insurable risk only involves the chance for a loss. Examples of these losses are direct property loss, indirect consequential loss, personnel loss, and legal liability. Direct property losses include assets insurance, auto collision, fire, and theft. Examples of indirect consequential loss include contractor's protection for indirect losses suffered by a third party; removal of debris; and replacement of equipment. Legal liability is protection against legal actions for design errors, public injury, and project performance failures. Finally, personnel pure risk examples are factors such as workman's compensation and employee replacement costs.

Part of what risk management is "all about" is risk quantification. Concepts of risk quantification are:

● Risk Event: the precise description of what might happen to the project

● Risk Probability: the degree to which the risk event is likely to occur

● Amount at Stake: the loss if the outcome is unsatisfactory

● Risk Exposure: the overall liability potential of the risk; the formula for risk exposure is represented by Figure 4
